Evolving Role of Government in Cyber Security

The 21st century has so far signaled an era of wide-scale deregulation and privatization, with much of the nation’s critical infrastructures (energy, transport, finance, medicine) now in the hands of the private sector.

These critical infrastructures are constantly targeted by adversaries ranging from non-state actors such as terrorist groups, hacktivist groups, organized criminals, etc. to state actors, and due to our high degree of interconnectedness across the globe, security incidents can exert cascading and crippling effects nationally, regionally and even internationally.

Part of the reason why it can be difficult to secure critical infrastructures is due to the divergence of interests between the private and public sectors. The private sector’s primary focus is corporate efficiency: in terms of security, it does what it believes is “enough”, implementing the bare minimum level of security, since its main goal is profit-making. The government, in contrast, is principally concerned with achieving social order, national security and economic prosperity for its population.

A 2010 Euro Social Survey reported that almost 70% of EU citizens find it very important that governments ensure the safety of citizens against all threats. Yet governments today do not provide close supervision of, or operational control over, these critical infrastructures that now fall within the realm of the private sector. As a result, it has been argued that the role of government as the legitimate provider of security has diminished, and that it will continue to weaken moving forward.

As I meet with different governing bodies around the world, my strong impression is that this matter is by no means straightforward for them, and that they are indeed grappling with the challenge of determining what their roles in cyber security could or should be, especially vis-a-vis the private sector.

I argue, however, that the changing global landscape should not require that the role of governments as the legitimate provider of security be diminished, on the condition they are able to understand clearly how the world has changed and is changing, and what their role(s) should be within this new environment of increasing interconnectedness.

Furthermore, I argue that, in order for governments to be successful in this new environment, their remit must transcend what their historical regulatory role has typically entailed. They now need to tackle the questions of how they can best assist the private sector to invest in security (facilitation), and how public and private sectors can together improve the current state of security (collaboration). To formulate a viable approach going forward, this is the framework through which governments must strategize, and they must be ready to draw upon analogous lessons learned from past preparedness efforts geared towards other areas of threat, such as pandemic and terrorism.

Thank you for your interesting comments on my blog article. I have had the opportunity to participate in a number of Chief Information Security Officer (CISO) round tables, and these CISOs are mostly from pretty prominent private sector organizations, quite a few of which own critical infrastructures in different countries. My observation is that there are quite a few factors influencing how much a private sector organization is willing to invest in security. For example, in some organizations there is no strong security culture within the upper management ranks, so the CISO is really fighting an uphill battle in trying to get security on top of his/her organization’s agenda. Some organizations have the belief that if you want to solve the security problem, all you have to do is go out there and buy point security products, but they are not allowed to hire more skilled security people. There are a lot more factors than I can enumerate in this response, but what I strongly believe is that governments must play a contributing role and be willing to pony up resources in the form of money and people to help with this. What governments should do is understand the different factors affecting how the private sector makes security investments, and with that understanding, governments can use a combination of the 3 measures that I introduced in my article (Regulate, Facilitate, Collaborate) to effect change in the private sector’s attitude and behaviour toward security.

On whether there is a need for non-profit organizations helping to bridge the gap, I think it comes down to the 2-way trust between the private and public sectors. If there is a trust deficit, I can see a trusted 3rd party organization playing an instrumental role in this. Not sure if I can answer the question of whether the model can help the Chinese, but generally speaking, less democratic countries are more focused on regulating content, whereas the more democratic countries have less emphasis on regulating content and are more focused on threats to their critical infrastructures.

Kah Kin Ho, thanks for your excellent thinking here. Surely, one can agree with your suggestions, especially when there is a lack of supervision of critical infrastructures and/or operational controls in the private sector. However, the issue that keeps coming up in this discourse about the role of government is the extent to which the private sector can be trusted, knowing that they have a profit or corporate efficiency agenda, which limits them to related resources, whereas govt is interested in “achieving social order, national security and economic prosperity for its population.” One can agree there is a need for some form of collaboration and shared approach within your paradigm, where govt must have an updating system to keep them abreast with implementing current changes. Do you think it is time to see non-profit organizations help bridge the gap between corporate and government interests in this matter? Do you think your model will be helpful to the Chinese, who already have much within their control? Thanks for sharing.